{"id":1818,"date":"2024-01-10T15:03:50","date_gmt":"2024-01-10T18:03:50","guid":{"rendered":"https:\/\/reversingthread.info\/?p=1818"},"modified":"2024-06-20T13:35:32","modified_gmt":"2024-06-20T16:35:32","slug":"the-finals-defeating-theia-packer","status":"publish","type":"post","link":"https:\/\/reversingthread.info\/index.php\/2024\/01\/10\/the-finals-defeating-theia-packer\/","title":{"rendered":"The Finals – Defeating Theia Anti-Tamper"},"content":{"rendered":"\n

The Finals<\/h2>\n\n\n\n

The Finals is a multiplayer first-person shooter game developed by Embark Studios. They were able to attract a lot of users from the beta to the launch, and it’s currently one of the most played games on steam.<\/p>\n\n\n\n

They were successful in attracting a large number of users from the beta phase to the official launch, and currently, they are one of the most popular games being played on Steam.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Theia <\/h2>\n\n\n\n

Theia, created by ZeroItLab, is a tool designed to prevent tampering, debugging, and obfuscation in various games such as The Finals, EA FC 24, and the discontinued The Cycle Frontier game. It fills a void left by the acquisition of Byfron Company when Roblox purchased them. Theia offers similar features to Byfron, including anti-debugging, anti-analysis, obfuscation of game pages, and hardware ID tracking. In this post, our main focus will be on decrypting all the game pages.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Defeating their Encryption<\/h2>\n\n\n\n

Initially, it should be noted that the process at hand is highly time consuming. The individuals responsible for this task have effectively concealed, encrypted, and implemented measures to obstruct analysis of their system. In order to thoroughly examine it, we must overcome certain protective measures, granting us greater freedom to conduct our analysis.<\/p>\n\n\n\n

1. Get the game running without EAC<\/h3>\n\n\n\n

To achieve greater freedom, we should eliminate EAC (Easy Anti Cheat), thereby allowing us to solely focus on handling user-mode protections and giving us control over the Kernel.<\/p>\n\n\n\n

However, the developers of Theia are well aware of this and have not made it easy for us to prevent their Anti-Cheat from loading. They persistently communicate with the driver to confirm its loading status. If it is not loaded, they simply prevent the process from running. So, what we can do about it? Well, we create a fake EAC driver and reply to their requests as they want. <\/p>\n\n\n\n

Initially, we need to intercept DeviceIoControl to monitor the exchanged data during communication with the EAC driver. Once we have gathered this information, we can construct our own EAC driver and respond accordingly.<\/p>\n\n\n\n

The following is a compilation of IOCTL requests made to the EAC Driver. However, the specific names of these IOCTLs are currently unknown.<\/p>\n\n\n\n

0x226003<\/strong> - We return the following bytes [0x19, 0x04, 0x00, 0x00]<\/em>\n\n0x226013<\/strong> - If that is the first request we return [0x04, 0x00, 0x00, 0x00]<\/em> else we return [01 00 00 00]<\/em>\n\n0x22e017<\/strong> - We can just return STATUS_SUCCESS<\/code><\/pre>\n\n\n\n
Knowing those IOCTL, our task becomes crafting the fake EAC driver. We should ensure that the driver employs the same device, event names, and effectively handles the IOCTL requests. Then compile and load the driver.<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
#define IOCTL_UNKNOWN_BASE                                              FILE_DEVICE_UNKNOWN<\/span><\/span>\n#define IOCTL_EAC_DEBUG_ECHO                                            <\/span>CTL_CODE<\/span>(IOCTL_UNKNOWN_BASE, <\/span>0x0800<\/span>, METHOD_BUFFERED, FILE_ANY_ACCESS)<\/span><\/span>\n#define IOCTL_EAC_UNK0                                                    <\/span>0x226003<\/span><\/span>\n#define IOCTL_EAC_UNK1                                                    <\/span>0x226013<\/span><\/span>\n#define IOCTL_EAC_UNK2                                                    <\/span>0x22e017<\/span><\/span>\n<\/span>\nPDRIVER_OBJECT g_pDriverObject <\/span>=<\/span> nullptr;<\/span><\/span>\nPDEVICE_OBJECT g_pDeviceObject <\/span>=<\/span> nullptr;<\/span><\/span>\n<\/span>\nWCHAR g_szDeviceName[<\/span>260<\/span>];<\/span><\/span>\nWCHAR g_szDeviceLnkName[<\/span>260<\/span>];<\/span><\/span>\n<\/span>\nBOOLEAN    g_IsFirstCall <\/span>=<\/span> TRUE;<\/span><\/span>\nKSPIN_LOCK g_SpinLock;<\/span><\/span>\n<\/span>\nHANDLE eventHandle1, eventHandle2, eventHandle3;<\/span><\/span>\n<\/span>\nPVOID  sectionBaseAddress <\/span>=<\/span> NULL;<\/span><\/span>\nHANDLE sectionHandle <\/span>=<\/span> NULL;<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>CreateNamedEvent<\/span>(PCWSTR eventName, PHANDLE pEventHandle)<\/span><\/span>\n{<\/span><\/span>\n    UNICODE_STRING    uniName;<\/span><\/span>\n    OBJECT_ATTRIBUTES objAttr;<\/span><\/span>\n    NTSTATUS          status;<\/span><\/span>\n<\/span>\n    <\/span>RtlInitUnicodeString<\/span>(<\/span>&<\/span>uniName, eventName);<\/span><\/span>\n    <\/span>InitializeObjectAttributes<\/span>(<\/span>&<\/span>objAttr, <\/span>&<\/span>uniName, OBJ_CASE_INSENSITIVE <\/span>|<\/span> OBJ_KERNEL_HANDLE, NULL, NULL);<\/span><\/span>\n<\/span>\n    status <\/span>=<\/span> <\/span>ZwCreateEvent<\/span>(pEventHandle, EVENT_ALL_ACCESS, <\/span>&<\/span>objAttr, SynchronizationEvent, FALSE);<\/span><\/span>\n<\/span>\n    <\/span>return<\/span> status;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>CreateFakeEACSection<\/span>(PHANDLE sectionHandlePtr, PLARGE_INTEGER maximumSize)<\/span><\/span>\n{<\/span><\/span>\n    UNICODE_STRING    sectionName;<\/span><\/span>\n    OBJECT_ATTRIBUTES objAttr;<\/span><\/span>\n    NTSTATUS          status;<\/span><\/span>\n<\/span>\n    <\/span>RtlInitUnicodeString<\/span>(<\/span>&<\/span>sectionName, L<\/span>"<\/span>\\\\<\/span>BaseNamedObjects<\/span>\\\\<\/span>EasyAntiCheat_EOSBin<\/span>"<\/span>);<\/span><\/span>\n    <\/span>InitializeObjectAttributes<\/span>(<\/span>&<\/span>objAttr, <\/span>&<\/span>sectionName, OBJ_CASE_INSENSITIVE <\/span>|<\/span> OBJ_KERNEL_HANDLE, NULL, NULL);<\/span><\/span>\n<\/span>\n    maximumSize<\/span>-><\/span>QuadPart <\/span>=<\/span> <\/span>4096<\/span>; <\/span>\/\/ Set the size of the section (e.g., 4 KB)<\/span><\/span>\n<\/span>\n    status <\/span>=<\/span> <\/span>ZwCreateSection<\/span>(sectionHandlePtr, SECTION_ALL_ACCESS, <\/span>&<\/span>objAttr, maximumSize, PAGE_READWRITE, SEC_COMMIT,<\/span><\/span>\n        NULL);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>return<\/span> status;<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>return<\/span> status;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\n<\/span>\nVOID <\/span>DriverUnload<\/span>(PDRIVER_OBJECT pDriverObj)<\/span><\/span>\n{<\/span><\/span>\n    NTSTATUS status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n<\/span>\n    <\/span>\/\/close events<\/span><\/span>\n    <\/span>if<\/span> (eventHandle1 <\/span>!=<\/span> NULL)<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>ZwClose<\/span>(eventHandle1);<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>if<\/span> (eventHandle2 <\/span>!=<\/span> NULL)<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>ZwClose<\/span>(eventHandle2);<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>if<\/span> (eventHandle3 <\/span>!=<\/span> NULL)<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>ZwClose<\/span>(eventHandle3);<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>\/\/remove section<\/span><\/span>\n    <\/span>if<\/span> (sectionBaseAddress <\/span>!=<\/span> NULL)<\/span><\/span>\n        <\/span>ZwUnmapViewOfSection<\/span>(<\/span>NtCurrentProcess<\/span>(), sectionBaseAddress);<\/span><\/span>\n    <\/span>if<\/span> (sectionHandle <\/span>!=<\/span> NULL)<\/span><\/span>\n        <\/span>ZwClose<\/span>(sectionHandle);<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/Delete Sym link n Device<\/span><\/span>\n    UNICODE_STRING uncLinkName;<\/span><\/span>\n    <\/span>RtlInitUnicodeString<\/span>(<\/span>&<\/span>uncLinkName, g_szDeviceLnkName);<\/span><\/span>\n<\/span>\n    status <\/span>=<\/span> <\/span>IoDeleteSymbolicLink<\/span>(<\/span>&<\/span>uncLinkName);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n            <\/span>"<\/span>[EasyAntiCheat_EOS] DriverUnload::Unable to delete SymbolicLink NTSTATUS -> % u <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>IoDeleteDevice<\/span>(pDriverObj<\/span>-><\/span>DeviceObject);<\/span><\/span>\n    <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Driver Unload<\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>DispatchUnused<\/span>(PDEVICE_OBJECT pDevObj, PIRP pIrp)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>UNREFERENCED_PARAMETER<\/span>(pDevObj);<\/span><\/span>\n    <\/span>UNREFERENCED_PARAMETER<\/span>(pIrp);<\/span><\/span>\n<\/span>\n<\/span>\n    NTSTATUS NtStatus <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n    <\/span>return<\/span> NtStatus;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>DispatchCreate<\/span>(PDEVICE_OBJECT pDevObj, PIRP pIrp)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>UNREFERENCED_PARAMETER<\/span>(pDevObj);<\/span><\/span>\n<\/span>\n    <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Dispatch Create<\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n<\/span>\n    pIrp<\/span>-><\/span>IoStatus.Status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n    pIrp<\/span>-><\/span>IoStatus.Information <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n    <\/span>IoCompleteRequest<\/span>(pIrp, IO_NO_INCREMENT);<\/span><\/span>\n    <\/span>return<\/span> STATUS_SUCCESS;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>DispatchClose<\/span>(PDEVICE_OBJECT pDevObj, PIRP pIrp)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>UNREFERENCED_PARAMETER<\/span>(pDevObj);<\/span><\/span>\n<\/span>\n    <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Dispatch Close<\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n<\/span>\n    pIrp<\/span>-><\/span>IoStatus.Status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n    pIrp<\/span>-><\/span>IoStatus.Information <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n    <\/span>IoCompleteRequest<\/span>(pIrp, IO_NO_INCREMENT);<\/span><\/span>\n    <\/span>return<\/span> STATUS_SUCCESS;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>DispatchIoctl<\/span>(PDEVICE_OBJECT pDevObj, PIRP pIrp)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>\/\/UNREFERENCED_PARAMETER(pDevObj);<\/span><\/span>\n<\/span>\n    NTSTATUS           status <\/span>=<\/span> STATUS_INVALID_DEVICE_REQUEST;<\/span><\/span>\n    PIO_STACK_LOCATION pIrpStack;<\/span><\/span>\n    ULONG              uIoControlCode;<\/span><\/span>\n    PVOID              pIoBuffer;<\/span><\/span>\n    ULONG              uInSize;<\/span><\/span>\n    ULONG              uOutSize;<\/span><\/span>\n<\/span>\n    pIrpStack <\/span>=<\/span> <\/span>IoGetCurrentIrpStackLocation<\/span>(pIrp);<\/span><\/span>\n    uIoControlCode <\/span>=<\/span> pIrpStack<\/span>-><\/span>Parameters.DeviceIoControl.IoControlCode;<\/span><\/span>\n    pIoBuffer <\/span>=<\/span> pIrp<\/span>-><\/span>AssociatedIrp.SystemBuffer;<\/span><\/span>\n    uInSize <\/span>=<\/span> pIrpStack<\/span>-><\/span>Parameters.DeviceIoControl.InputBufferLength;<\/span><\/span>\n    uOutSize <\/span>=<\/span> pIrpStack<\/span>-><\/span>Parameters.DeviceIoControl.OutputBufferLength;<\/span><\/span>\n<\/span>\n    <\/span>switch<\/span> (uIoControlCode)<\/span><\/span>\n    {<\/span><\/span>\n    <\/span>case<\/span> IOCTL_EAC_DEBUG_ECHO:<\/span><\/span>\n    {<\/span><\/span>\n        __try<\/span><\/span>\n        {<\/span><\/span>\n            <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Hello from Ring0!<\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n            status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n        }<\/span><\/span>\n        <\/span>__except<\/span> (EXCEPTION_EXECUTE_HANDLER)<\/span><\/span>\n        {<\/span><\/span>\n            status <\/span>=<\/span> STATUS_UNSUCCESSFUL;<\/span><\/span>\n        }<\/span><\/span>\n        <\/span>break<\/span>;<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>case<\/span> IOCTL_EAC_UNK0: <\/span>\/\/0x226003<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n            <\/span>"<\/span>[EasyAntiCheat_EOS] TRIGGERED CHECK 0x226003 (InputBufferLength: %lu) (OutputBufferLength: %lu)<\/span>\\n<\/span>"<\/span>,<\/span><\/span>\n            uInSize, uOutSize);<\/span><\/span>\n<\/span>\n        unsigned char DummyReturnData[<\/span>4<\/span>] <\/span>=<\/span> { <\/span>0x19<\/span>, <\/span>0x04<\/span>, <\/span>0x00<\/span>, <\/span>0x00<\/span> };<\/span><\/span>\n<\/span>\n        PVOID pBuffer <\/span>=<\/span> pIrpStack<\/span>-><\/span>Parameters.DeviceIoControl.Type3InputBuffer;<\/span><\/span>\n<\/span>\n        <\/span>\/\/ Ensure pBuffer is valid and large enough<\/span><\/span>\n        <\/span>if<\/span> (pBuffer <\/span>!=<\/span> nullptr <\/span>&&<\/span> uOutSize <\/span>>=<\/span> <\/span>sizeof<\/span>(DummyReturnData))<\/span><\/span>\n        {<\/span><\/span>\n            <\/span>RtlCopyMemory<\/span>(pBuffer, <\/span>&<\/span>DummyReturnData[<\/span>0<\/span>], <\/span>sizeof<\/span>(DummyReturnData));<\/span><\/span>\n            uOutSize <\/span>=<\/span> <\/span>sizeof<\/span>(DummyReturnData);<\/span><\/span>\n            status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n            <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] RETURNING [19 04 00 00] <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n<\/span>\n            KIRQL oldIrql;<\/span><\/span>\n            <\/span>KeAcquireSpinLock<\/span>(<\/span>&<\/span>g_SpinLock, <\/span>&<\/span>oldIrql);<\/span><\/span>\n<\/span>\n            g_IsFirstCall <\/span>=<\/span> FALSE; <\/span>\/\/ Toggle<\/span><\/span>\n<\/span>\n            <\/span>KeReleaseSpinLock<\/span>(<\/span>&<\/span>g_SpinLock, oldIrql);<\/span><\/span>\n        }<\/span><\/span>\n        <\/span>else<\/span><\/span>\n        {<\/span><\/span>\n            uOutSize <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n            status <\/span>=<\/span> STATUS_BUFFER_TOO_SMALL;<\/span><\/span>\n        }<\/span><\/span>\n<\/span>\n<\/span>\n        <\/span>break<\/span>;<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>case<\/span> IOCTL_EAC_UNK1: <\/span>\/\/0x226013<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] TRIGGERED CHECK 0x226013 <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n<\/span>\n        unsigned char DummyReturnDataA[<\/span>4<\/span>] <\/span>=<\/span> {<\/span><\/span>\n            <\/span>0x04<\/span>, <\/span>0x00<\/span>, <\/span>0x00<\/span>, <\/span>0x00<\/span><\/span>\n        };<\/span><\/span>\n<\/span>\n        unsigned char DummyReturnDataB[<\/span>4<\/span>] <\/span>=<\/span> {<\/span><\/span>\n            <\/span>0x01<\/span>, <\/span>0x00<\/span>, <\/span>0x00<\/span>, <\/span>0x00<\/span><\/span>\n        };<\/span><\/span>\n<\/span>\n<\/span>\n        PVOID pBuffer <\/span>=<\/span> pIrpStack<\/span>-><\/span>Parameters.DeviceIoControl.Type3InputBuffer;<\/span><\/span>\n<\/span>\n        <\/span>\/\/ Ensure pBuffer is valid and large enough<\/span><\/span>\n        <\/span>if<\/span> (pBuffer <\/span>!=<\/span> nullptr <\/span>&&<\/span> uOutSize <\/span>>=<\/span> <\/span>sizeof<\/span>(DummyReturnDataA))<\/span><\/span>\n        {<\/span><\/span>\n            KIRQL oldIrql;<\/span><\/span>\n            <\/span>KeAcquireSpinLock<\/span>(<\/span>&<\/span>g_SpinLock, <\/span>&<\/span>oldIrql);<\/span><\/span>\n<\/span>\n            <\/span>\/\/ Check the flag and toggle it<\/span><\/span>\n            <\/span>if<\/span> (g_IsFirstCall)<\/span><\/span>\n            {<\/span><\/span>\n                <\/span>RtlCopyMemory<\/span>(pBuffer, <\/span>&<\/span>DummyReturnDataA, <\/span>sizeof<\/span>(DummyReturnDataA));<\/span><\/span>\n                <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n                    <\/span>"<\/span>[EasyAntiCheat_EOS] RETURNING [04 00 00 00] FIRST CALL <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n            }<\/span><\/span>\n            <\/span>else<\/span><\/span>\n            {<\/span><\/span>\n                <\/span>RtlCopyMemory<\/span>(pBuffer, <\/span>&<\/span>DummyReturnDataB, <\/span>sizeof<\/span>(DummyReturnDataB));<\/span><\/span>\n                <\/span>\/\/g_IsFirstCall = TRUE; \/\/ Reset for the next call<\/span><\/span>\n                <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n                    <\/span>"<\/span>[EasyAntiCheat_EOS] RETURNING [01 00 00 00] SEC CALL <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n            }<\/span><\/span>\n<\/span>\n            <\/span>KeReleaseSpinLock<\/span>(<\/span>&<\/span>g_SpinLock, oldIrql);<\/span><\/span>\n<\/span>\n            uOutSize <\/span>=<\/span> <\/span>sizeof<\/span>(DummyReturnDataA);<\/span><\/span>\n            status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n        }<\/span><\/span>\n        <\/span>else<\/span><\/span>\n        {<\/span><\/span>\n            uOutSize <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n            status <\/span>=<\/span> STATUS_BUFFER_TOO_SMALL;<\/span><\/span>\n        }<\/span><\/span>\n<\/span>\n        <\/span>break<\/span>;<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>case<\/span> IOCTL_EAC_UNK2: <\/span>\/\/0x22e017<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] TRIGGERED CHECK 0x22e017<\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n        status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n        <\/span>break<\/span>;<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>default<\/span>:<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] Triggered Unknown IOCTL: [%x] <\/span>\\n<\/span>"<\/span>,<\/span><\/span>\n            uIoControlCode);<\/span><\/span>\n        <\/span>break<\/span>;<\/span><\/span>\n    }<\/span><\/span>\n    } <\/span>\/\/Switch End<\/span><\/span>\n<\/span>\n    <\/span>if<\/span> (status <\/span>==<\/span> STATUS_SUCCESS)<\/span><\/span>\n        pIrp<\/span>-><\/span>IoStatus.Information <\/span>=<\/span> uOutSize;<\/span><\/span>\n    <\/span>else<\/span><\/span>\n        pIrp<\/span>-><\/span>IoStatus.Information <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n<\/span>\n    pIrp<\/span>-><\/span>IoStatus.Status <\/span>=<\/span> status;<\/span><\/span>\n<\/span>\n    <\/span>IoCompleteRequest<\/span>(pIrp, IO_NO_INCREMENT);<\/span><\/span>\n    <\/span>return<\/span> status;<\/span><\/span>\n}<\/span><\/span>\n<\/span>\nNTSTATUS <\/span>DriverEntry<\/span>(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING RegistryPath)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>\/\/UNREFERENCED_PARAMETER(pRegistryString);<\/span><\/span>\n<\/span>\n    NTSTATUS       status <\/span>=<\/span> STATUS_SUCCESS;<\/span><\/span>\n    UNICODE_STRING uncDeviceName;<\/span><\/span>\n    UNICODE_STRING uncLinkName;<\/span><\/span>\n<\/span>\n    <\/span>\/\/set global var<\/span><\/span>\n    g_pDriverObject <\/span>=<\/span> pDriverObj;<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/Check Unicode String<\/span><\/span>\n    status <\/span>=<\/span> <\/span>RtlUnicodeStringValidate<\/span>(RegistryPath);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>return<\/span> STATUS_INVALID_PARAMETER;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/setup the MajorFunctions to nothing first<\/span><\/span>\n    <\/span>for<\/span> (int i <\/span>=<\/span> <\/span>0<\/span>; i <\/span><<\/span> IRP_MJ_MAXIMUM_FUNCTION; i<\/span>++<\/span>)<\/span><\/span>\n        pDriverObj<\/span>-><\/span>MajorFunction[i] <\/span>=<\/span> DispatchUnused;<\/span><\/span>\n<\/span>\n    pDriverObj<\/span>-><\/span>MajorFunction[IRP_MJ_CREATE] <\/span>=<\/span> DispatchCreate;<\/span><\/span>\n    pDriverObj<\/span>-><\/span>MajorFunction[IRP_MJ_CLOSE] <\/span>=<\/span> DispatchClose;<\/span><\/span>\n    pDriverObj<\/span>-><\/span>MajorFunction[IRP_MJ_DEVICE_CONTROL] <\/span>=<\/span> DispatchIoctl;<\/span><\/span>\n    pDriverObj<\/span>-><\/span>DriverUnload <\/span>=<\/span> DriverUnload;<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/ extract the driver name from the registry path<\/span><\/span>\n    LPCWSTR szDriverName <\/span>=<\/span> <\/span>wcsrchr<\/span>(RegistryPath<\/span>-><\/span>Buffer, L<\/span>'<\/span>\\\\<\/span>'<\/span>);<\/span><\/span>\n    <\/span>if<\/span> (szDriverName <\/span>==<\/span> nullptr)<\/span><\/span>\n        <\/span>return<\/span> STATUS_INVALID_PARAMETER;<\/span><\/span>\n    szDriverName<\/span>++<\/span>;<\/span><\/span>\n<\/span>\n<\/span>\n    szDriverName <\/span>=<\/span> L<\/span>"<\/span>EasyAntiCheat_EOS<\/span>"<\/span>;<\/span><\/span>\n<\/span>\n    <\/span>\/\/Make Device Name : \\\\Device\\\\BEDaisy<\/span><\/span>\n    status <\/span>=<\/span> <\/span>RtlStringCchPrintfW<\/span>(g_szDeviceName, <\/span>ARRAYSIZE<\/span>(g_szDeviceName), L<\/span>"<\/span>\\\\<\/span>Device<\/span>\\\\<\/span>%ws<\/span>"<\/span>, szDriverName);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n        <\/span>return<\/span> STATUS_INVALID_PARAMETER;<\/span><\/span>\n<\/span>\n    <\/span>\/\/convert the device name to a unicode string struct<\/span><\/span>\n    <\/span>RtlInitUnicodeString<\/span>(<\/span>&<\/span>uncDeviceName, g_szDeviceName);<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/Make Symbolic Link : \\\\DosDevices\\\\Global\\\\BEMapr  \\\\DosDevices\\\\BEMapr<\/span><\/span>\n    <\/span>if<\/span> (<\/span>IoIsWdmVersionAvailable<\/span>(<\/span>1<\/span>, <\/span>0x10<\/span>))<\/span><\/span>\n        status <\/span>=<\/span> <\/span>RtlStringCchPrintfW<\/span>(g_szDeviceLnkName, <\/span>ARRAYSIZE<\/span>(g_szDeviceLnkName), L<\/span>"<\/span>\\\\<\/span>DosDevices<\/span>\\\\<\/span>Global<\/span>\\\\<\/span>%ws<\/span>"<\/span>,<\/span><\/span>\n            szDriverName);<\/span><\/span>\n    <\/span>else<\/span><\/span>\n        status <\/span>=<\/span> <\/span>RtlStringCchPrintfW<\/span>(g_szDeviceLnkName, <\/span>ARRAYSIZE<\/span>(g_szDeviceLnkName), L<\/span>"<\/span>\\\\<\/span>DosDevices<\/span>\\\\<\/span>%ws<\/span>"<\/span>,<\/span><\/span>\n            szDriverName);<\/span><\/span>\n<\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n        <\/span>return<\/span> STATUS_INVALID_PARAMETER;<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/ convert the symlink to a unicode string struct<\/span><\/span>\n    <\/span>RtlInitUnicodeString<\/span>(<\/span>&<\/span>uncLinkName, g_szDeviceLnkName);<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>\/\/ create device<\/span><\/span>\n    status <\/span>=<\/span> <\/span>IoCreateDevice<\/span>(pDriverObj, <\/span>0<\/span>, <\/span>&<\/span>uncDeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE,<\/span><\/span>\n        <\/span>&<\/span>g_pDeviceObject);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] IoCreateDevice Failed %u <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n        <\/span>return<\/span> status;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>\/\/setup flags for buffered io<\/span><\/span>\n    g_pDeviceObject<\/span>-><\/span>Flags <\/span>|=<\/span> DO_BUFFERED_IO;<\/span><\/span>\n<\/span>\n    <\/span>\/\/ create link<\/span><\/span>\n    status <\/span>=<\/span> <\/span>IoCreateSymbolicLink<\/span>(<\/span>&<\/span>uncLinkName, <\/span>&<\/span>uncDeviceName);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS] IoCreateSymbolicLink Failed %u <\/span>\\n<\/span>"<\/span>,<\/span><\/span>\n            status);<\/span><\/span>\n        <\/span>IoDeleteDevice<\/span>(g_pDeviceObject);<\/span><\/span>\n        <\/span>return<\/span> status;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>\/\/init spinlock<\/span><\/span>\n    <\/span>KeInitializeSpinLock<\/span>(<\/span>&<\/span>g_SpinLock);<\/span><\/span>\n<\/span>\n    <\/span>\/\/make events<\/span><\/span>\n    status <\/span>=<\/span> <\/span>CreateNamedEvent<\/span>(L<\/span>"<\/span>\\\\<\/span>BaseNamedObjects<\/span>\\\\<\/span>EasyAntiCheat_EOSEventDriver<\/span>"<\/span>, <\/span>&<\/span>eventHandle1);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n            <\/span>"<\/span>[EasyAntiCheat_EOS] CreateNamedEvent Failed %u for [EasyAntiCheat_EOSEventDriver] <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n        eventHandle1 <\/span>=<\/span> NULL;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    status <\/span>=<\/span> <\/span>CreateNamedEvent<\/span>(L<\/span>"<\/span>\\\\<\/span>BaseNamedObjects<\/span>\\\\<\/span>EasyAntiCheat_EOSEventGame<\/span>"<\/span>, <\/span>&<\/span>eventHandle2);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n            <\/span>"<\/span>[EasyAntiCheat_EOS] CreateNamedEvent Failed %u for [EasyAntiCheat_EOSEventGame] <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n        eventHandle2 <\/span>=<\/span> NULL;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    status <\/span>=<\/span> <\/span>CreateNamedEvent<\/span>(L<\/span>"<\/span>\\\\<\/span>BaseNamedObjects<\/span>\\\\<\/span>EasyAntiCheat_EOSEventModule<\/span>"<\/span>, <\/span>&<\/span>eventHandle3);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n            <\/span>"<\/span>[EasyAntiCheat_EOS] CreateNamedEvent Failed %u for [EasyAntiCheat_EOSEventModule] <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n        eventHandle3 <\/span>=<\/span> NULL;<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    <\/span>\/\/Create section<\/span><\/span>\n    LARGE_INTEGER maximumSize;<\/span><\/span>\n    NTSTATUS      sectionCreateStatus <\/span>=<\/span> <\/span>CreateFakeEACSection<\/span>(<\/span>&<\/span>sectionHandle, <\/span>&<\/span>maximumSize);<\/span><\/span>\n    <\/span>if<\/span> (<\/span>NT_SUCCESS<\/span>(sectionCreateStatus))<\/span><\/span>\n    {<\/span><\/span>\n        sectionBaseAddress <\/span>=<\/span> NULL;<\/span><\/span>\n        SIZE_T viewSize <\/span>=<\/span> <\/span>0<\/span>;<\/span><\/span>\n        status <\/span>=<\/span> <\/span>ZwMapViewOfSection<\/span>(sectionHandle, <\/span>NtCurrentProcess<\/span>(), <\/span>&<\/span>sectionBaseAddress, <\/span>0<\/span>, <\/span>0<\/span>, NULL, <\/span>&<\/span>viewSize,<\/span><\/span>\n            ViewShare, <\/span>0<\/span>, PAGE_READWRITE);<\/span><\/span>\n        <\/span>if<\/span> (<\/span>!<\/span>NT_SUCCESS<\/span>(status))<\/span><\/span>\n        {<\/span><\/span>\n            <\/span>ZwClose<\/span>(sectionHandle);<\/span><\/span>\n            <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n                <\/span>"<\/span>[EasyAntiCheat_EOS]CreateFakeEACSection ZwMapViewOfSection Failed: %u <\/span>\\n<\/span>"<\/span>, status);<\/span><\/span>\n        }<\/span><\/span>\n        <\/span>else<\/span><\/span>\n        {<\/span><\/span>\n            <\/span>RtlZeroMemory<\/span>(sectionBaseAddress, maximumSize.QuadPart);<\/span><\/span>\n            <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,<\/span><\/span>\n                <\/span>"<\/span>[EasyAntiCheat_EOS] CreateFakeEACSection [EasyAntiCheat_EOSBin] <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n        }<\/span><\/span>\n    }<\/span><\/span>\n    <\/span>else<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]CreateFakeEACSection Failed: %u <\/span>\\n<\/span>"<\/span>,<\/span><\/span>\n            sectionCreateStatus);<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n<\/span>\n    <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Driver Loaded <\/span>\\n<\/span>"<\/span>);<\/span><\/span>\n    <\/span>DbgPrintEx<\/span>(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, <\/span>"<\/span>[EasyAntiCheat_EOS]Name: %wZ LinkName : %wZ <\/span>\\n<\/span>"<\/span>, uncDeviceName,<\/span><\/span>\n        uncLinkName);<\/span><\/span>\n<\/span>\n    <\/span>return<\/span> STATUS_SUCCESS;<\/span><\/span>\n}<\/span><\/span>\n<\/span><\/code><\/pre>
<\/div>Expand<\/span><\/div><\/div>\n\n\n\n
<\/div>\n\n\n\n
2. Creating a custom Launcher<\/h3>\n\n\n\n
To directly launch the game without going through the EAC startup, we develop a custom launcher to replace the existing one in the game folder. Another option is to hook Steam when it initiates the process, but we are going with replacing the launcher for this.<\/p>\n\n\n\n
Here’s the code for our launcher:<\/strong><\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
void<\/span> <\/span>LauncherTest<\/span>(<\/span>int<\/span> <\/span>argc<\/span>, <\/span>char**<\/span> <\/span>argv<\/span>)<\/span><\/span>\n{<\/span><\/span>\n    STARTUPINFOA processStartupInfo{<\/span>0<\/span>};<\/span><\/span>\n    processStartupInfo.cb <\/span>=<\/span> <\/span>sizeof<\/span>(processStartupInfo);<\/span> \/\/ setup size of strcture in bytes<\/span><\/span>\n    PROCESS_INFORMATION processInfo{<\/span>nullptr<\/span>};<\/span><\/span>\n<\/span>\n<\/span>\n    \/\/ Main .exe (Like Discovery.exe, FC24.exe, or any other)<\/span><\/span>\n    <\/span>auto<\/span> commandLineToExecute <\/span>=<\/span> <\/span>FormarString<\/span>(<\/span>xorstr_<\/span>(<\/span>R"(<\/span>"C:\\Program Files (x86)\\Steam\\steamapps\\common\\The Finals\\Discovery\\Binaries\\Win64\\Discovery.exe"<\/span>)"<\/span>), <\/span>ExePath<\/span>().<\/span>c_str<\/span>());<\/span><\/span>\n<\/span>\n<\/span>\n    \/\/ Load the arguments passed by the game itself. We can skip any if we want<\/span><\/span>\n    <\/span>for<\/span> (<\/span>int<\/span> i <\/span>=<\/span> <\/span>1<\/span>; i <\/span><<\/span> argc; i<\/span>++<\/span>)<\/span><\/span>\n    {<\/span><\/span>\n        \/\/ Add the argument to the command line<\/span><\/span>\n        commandLineToExecute <\/span>=<\/span> commandLineToExecute.<\/span>append<\/span>(<\/span>FormarString<\/span>(<\/span>"<\/span> <\/span>%s<\/span>"<\/span>, argv[i]));<\/span><\/span>\n    }<\/span><\/span>\n<\/span>\n    \/\/ Append Extra commands<\/span><\/span>\n    commandLineToExecute.<\/span>append<\/span>(<\/span>xorstr_<\/span>(<\/span>R"(<\/span> Discovery<\/span>)"<\/span>));<\/span><\/span>\n<\/span>\n    <\/span>auto<\/span> result <\/span>=<\/span> <\/span>CreateProcessA<\/span>(<\/span>nullptr<\/span>, (LPSTR)commandLineToExecute.<\/span>c_str<\/span>(), <\/span>nullptr<\/span>, <\/span>nullptr<\/span>, <\/span>false<\/span>, <\/span>0<\/span>,<\/span><\/span>\n                                               <\/span>nullptr<\/span>,<\/span><\/span>\n                                               <\/span>nullptr<\/span>,<\/span><\/span>\n                                               <\/span>&<\/span>processStartupInfo, <\/span>&<\/span>processInfo);<\/span><\/span>\n<\/span>\n   <\/span>auto<\/span>  getlasterror <\/span>=<\/span> <\/span>GetLastError<\/span>();<\/span><\/span>\n    std<\/span>::<\/span>cout <\/span><<<\/span> <\/span>"<\/span>error: <\/span>"<\/span> <\/span><<<\/span> getlasterror <\/span><<<\/span> std<\/span>::<\/span>endl;<\/span><\/span>\n    std<\/span>::<\/span>cout <\/span><<<\/span> <\/span>"<\/span>CreateProcessA: <\/span>"<\/span> <\/span><<<\/span> result <\/span><<<\/span> std<\/span>::<\/span>endl;<\/span><\/span>\n<\/span>\n    <\/span>if<\/span> (getlasterror)<\/span><\/span>\n    {<\/span><\/span>\n        <\/span>CloseHandle<\/span>(processInfo.hProcess);<\/span><\/span>\n        <\/span>CloseHandle<\/span>(processInfo.hThread);<\/span><\/span>\n    }<\/span><\/span>\n    <\/span><\/span>\n    <\/span>Sleep<\/span>(<\/span>5000<\/span>);<\/span><\/span>\n}<\/span><\/span>\n<\/span>\n<\/span>\nint<\/span> <\/span>main<\/span>(<\/span>int<\/span> <\/span>argc<\/span>, <\/span>char**<\/span> <\/span>argv<\/span>)<\/span><\/span>\n{<\/span><\/span>\n    <\/span>LauncherTest<\/span>(argc, argv);<\/span><\/span>\n    <\/span>return<\/span> <\/span>0<\/span>;<\/span><\/span>\n}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/p>\n\n\n\n
Once compiled, rename it to Discovery<\/strong>.exe<\/strong> and replace the one at: C:\\Program Files (x86)\\Steam\\steamapps\\common\\The Finals<\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
3. EOS SDK<\/h2>\n\n\n\n
The EOS SDK, provided by Epic Games, is a comprehensive set of services and tools for streamlined online game development. It offers various functionalities such as cross-platform play, matchmaking, anti-cheat measures, lobbies, achievements, leaderboards, and more. <\/p>\n\n\n\n
To be able to get the game running, we need to address EOS as well. Since we are using our fake EAC driver, we have two options: either simulate the EOS functions by loading a proxy DLL<\/strong> and handling the requests, or completely remove it. <\/strong><\/p>\n\n\n\n
Surprisingly, we can simply delete or rename the EOSSDK-Win64-Shipping.dll<\/em> file located at C:\\Program Files (x86)\\Steam\\steamapps\\common\\The Finals\\Engine\\Binaries\\Win64<\/em>, and the game will still launch successfully.<\/p>\n\n\n\n
After that we have the game running. <\/p>\n\n\n\n
<\/p>\n\n\n\n
4. Understading the page obsfucation<\/h3>\n\n\n\n
The Discovery.exe<\/em> game is made up of three allocations.<\/strong> The first allocation has the encrypted pages marked as PAGE_NOACCESS<\/strong>, the second allocation has the pages marked as RW<\/strong> and the encrypted pages contain the byte 0xCC<\/strong>, and the third and last page contain the encrypted bytes.<\/strong><\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
How the decryption process works?<\/h4>\n\n\n\n
When the game attempts to access an encrypted page, it causes an exception known as EXCEPTION_ACCESS_VIOLATION<\/strong>. This exception is then caught by a handler, where some checks are performed. If everything is deemed fine, the page is decrypted and marked as RX, then the execution resumes. It is important to note that the exception is not triggered by attempting to READ\/WRITE<\/strong> the page, either from the game module or their module runtime.dll; rather, the page must be executed to initiate the decryption process.<\/em><\/p>\n\n\n\n
After a while the pages are encrypted back and marked as PAGE_NOACCESS<\/strong> again.<\/p>\n\n\n\n
<\/p>\n\n\n\n
5. Decrypting it<\/h2>\n\n\n\n
There are several methods available for decrypting a page. One approach involves executing the page, which triggers the decryption routine. As a result, the page will contain the decrypted code and be marked as RX. Achieving this is relatively straightforward. We can either create an assembly shellcode that jumps or calls a specific function in the encrypted page, or alternatively, we can create a thread and pass the encrypted page address as the routine.<\/p>\n\n\n\n
Keep in mind that if we provide an encrypted page address to the CreateThread function and it encounters a faulty instruction, the entire program will crash. However, there is a simple solution available. We can register our own exception handler, catch the error, and exit the thread without any concern. The same applies when creating a shellcode.<\/p>\n\n\n\n
<\/div>\n\n\n\n